The Pentagon awakens from cyberslumber

I must start this post by professing that I am a proud American citizen. I am proud of what my country stands for, its accomplishments, and what its citizens are capable of when we come together for a common purpose. What I am not proud of is what I learned today about how my nation handles security.

Foreign Affairs magazine published a story today titled "Defending a New Domain" that outlines the plans for the new US Cybersecurity Command. This focus on security within the Pentagon is embarrassingly long overdue. I am happy to see the seriousness with which the topic has been approached, and the depth and angles that have been considered in the development of their plans.

An incident in 2008 spurred much of the progress that has been made in developing this new strategy. In the fall of 2008 someone in the military plugged a USB stick infected with the agent-btz malware into a military computer (Sophos first detected this malware in April 2007). Wired reports that it is a variant of SillyFDC, a very common family of USB infectors (Sophos has detected SillyFDC specifically since 2005, and generically since March 2008). Wired goes on to report that the infection spread throughout both classified and unclassified systems.

Was the Pentagon really so woefully deficient in its practices that off-the-shelf malware brought sensitive systems to their knees? This scares the bejeezus out of me. The implication is that the computers and personnel responsible for our national security were not running up-to-date protection, that removable devices were being used recklessly, and that sensitive information was stored unencrypted.

William J. Lynn III, United States Deputy Secretary of Defense, states in the article that the infection was planted by a foreign intelligence service. That in itself sounds dubious, although I have no evidence that it was not the case. Would a targeted attack from a foreign government really use easy-to-detect, common malware to infiltrate the US military? Even more worrisome is that it may actually have succeeded. Not only were we unprotected against garden-variety malware, but our firewalls and internet connections apparently allowed the infected machines to reach out to anyone who may have been listening. Outbound traffic from sensitive systems deserves the same restrictions and monitoring as inbound traffic; malware that cannot phone home cannot exfiltrate.

The story details the US plans for resolving the issues that put us at greatest risk. One surprise is that the focus is entirely on external adversaries. Earlier this year Bradley Manning was arrested for leaking sensitive information, including the now-famous "Collateral Murder" video, to Wikileaks. Manning was a Private in the US Army and had bragged about these leaks to hacker Adrian Lamo. Lynn seems to ignore the insider threat altogether, and the Manning case suggests the absence of the encryption and auditing you would expect to be in place to protect sensitive information. Encryption alone does little against a user who is authorized to read the data; what would have made a difference is auditing of bulk access and controls on copying classified material to removable media.

Another incident that received a lot of press last year involved insiders who were not practicing safe computing and did not have effective controls in place. In May of 2009 it was reported that blueprints and other secret information about the Joint Strike Fighter and Marine One were available on peer-to-peer networks. The external threat is certainly a big one, but let us not forget that more information is lost by insiders than through intrusions.

The Deputy Secretary also talks about the security of the software and devices used by the military and the risk of backdoors and booby-traps. Perhaps he should have a stern conversation with Steve Ballmer about why Microsoft shared the Windows and Office source code with the Russian FSB. Wired reported that the "foreign intelligence service" behind the agent-btz attack was, according to leaks, Russian. If we are truly concerned about foreign attacks against our production and critical computers, should we be handing our adversaries code that makes it easier for them to find exploitable flaws? Source access is not required to find vulnerabilities, but it lowers the cost of finding them considerably.

The government proposes that we work together to bring .com and .gov computers up to the security standard of the .mil networks in order to protect our critical infrastructure. Really? From what I can infer about the current state of affairs at .mil, many of the organizations we work with in defense, manufacturing, finance and critical systems are many steps ahead of .mil. I can't speak to the state of .gov, but .com is certainly no worse off than .mil.

Some of the most important policy changes concern the procurement process for technology and how risk, cost and speed are balanced going forward. The average time from budget approval to implementation is currently 81 months. No wonder we are behind the curve. As any CISSP knows, defensive measures must be weighed carefully against the cost of implementing them, and this is very good news if it is carried out properly.

As my colleague and fellow blogger Paul Ducklin from over in Australia remarked when we discussed this a couple of hours ago, "Methinks the Deputy Secretary doth protest too much."

And as Paul also pointed out, some of the military analogies are bogus, too. The story attempts to contrast conventional warfare and cyberwarfare. "Whereas a missile comes with a return address, a computer virus generally does not." But missiles don't always come with one that is useful. If they did, Osama bin Laden would have been captured or killed many years ago.

This is clearly a PR piece to announce the new initiatives being taken by the Obama administration. I am very pleased to see such a coordinated effort, but this is just the first step in a long journey. I will be referencing this story for many years to come as an example of what organizations need to do, and hopefully stay one step ahead of the most powerful nation in the world.

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics.
You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.